AES keys should have the CKA_VALUE_LEN attribute to say how long they are, so that PK11_GetKeyLength and PK11_GetKeyStrength work properly. I think this should happen in pkcs11.c:validateSecretKey, where it happens for all the other variable-length secret key types.
I should point out I'm using a token symmetric key. Looking into this a little deeper, I see that pkcs11u.c:pk11_FindSecretKeyAttribute has no code to return the CKA_VALUE_LEN field. So the problem may be there instead.
I'll add the code, though the NSS's use of CKA_VALUE_LEN appears to be a non-standard use. Longer term this should be raised with the pkcs #11 working group. bob
Created attachment 104016 [details] [diff] [review] Add CKA_VALUE_LEN to the attributes returned for token secret keys.
checked into tip.